In recent years, cloud computing (to be referred to as a cloud hereinafter) has rapidly become widespread since it can reduce the cost for information technology infrastructure (IT infrastructure) and operation management while ensuring the flexibility and extensibility of a service and improving the convenience. On the other hand, the security of the existing cloud is insufficient. Many companies cannot decide to introduce a public cloud due to concerns over security.
On the other hand, there is a growing need for groups comprising several members to be able to share data via cloud storage. This need is one of the major uses of the existing cloud. If, however, data is shared using an existing cloud, the following problems arise.
In an existing cloud service, to share data within a single group, one user uploads data to a cloud storage, and the members of the group download the data and use it.
However, in uploading, as shown in FIG. 12, data D on a communication path is protected by SSL/TLS but the data D in a cloud storage 1 is not encrypted. Therefore, the security of the data D in the cloud storage 1 depends on the trustworthiness of the cloud service. Since, for example, many companies and users use the cloud storage 1, there are concerns that other tenants may see data due to setting mistakes and that inappropriate authentication processing may be executed. In addition, data in the cloud storage 1 may be leaked by an insider, i.e., a server administrator.
To the contrary, in the existing cloud service, as shown in FIG. 13, a server may encrypt the data D based on a symmetric key k according to a symmetric key cryptosystem scheme, and save encrypted data E(k, D) in the cloud storage 1. In this case, the encrypted data E(k, D) in the cloud storage 1 is protected. However, a security problem still remains because the data D before encryption is not encrypted upon receiving (uploading) it, the decrypted data D is not encrypted upon distributing (downloading) it, and the server administrator can decrypt the encrypted data E(k, D).
Because of the above problems, many companies cannot decide to utilize the existing cloud.
As a method of solving these problems, data is encrypted before uploading it. This, however, degrades the convenience. For example, when data is encrypted using a conventional encryption technique and shared by a group, two methods can be used, (i) and (ii). Note that both the methods (i) and (ii) have merits and demerits, and there is a trade-off between the convenience and security. These methods (i) and (ii) will be described below.
(i) Method of Sharing Key of Group
As the merits of the method (i), data is always saved on the cloud while it is encrypted, and management of an encryption key is easy. As shown in FIG. 14, for example, when a group shares an encryption key ekGr1/decryption key dkGr1, and encrypts data based on public key cryptosystem, the encryption key ekGr1 and decryption key dkGr1 are paired. Both a member who uploads data and a member who downloads the data can readily manage the keys. Furthermore, since data can always be saved on the cloud while it is encrypted, concerns over security can be overcome.
As the demerits of the method (i), it is necessary to share the decryption key dkGr1 between the members, and a method of securely distributing/sharing the decryption key dkGr1 is required. Since, for example, the members share the decryption key dkGr1, the risk of leakage of the decryption key dkGr1 increases as the number of members increases. If the decryption key dkGr1 is leaked, it becomes necessary to update the decryption key dkGr1 shared by the group in order to prevent the leaked decryption key dkGr1 from being used, thereby degrading the convenience. In addition, if a member leaves the group, it becomes necessary to update the decryption key dkGr1 of other members in order to prevent the member that has left from decrypting data. A procedure performed when adding/deleting a member degrades the convenience.
As described above, the method (i) facilitates key management while imposing a problem about a key sharing method.
(ii) Encryption Method Using Keys of Members
As the merits of the method (ii), encrypted data is always saved on the cloud, and no key is shared between the members. For example, as shown in FIG. 15, when public key pkA/private key skA, . . . are created for members A, . . . , the data D is encrypted based on public key cryptosystem, and encrypted data E(pkA, D), . . . is saved in the cloud storage 1, it is not necessary to distribute/share keys since the private keys skA, . . . are not shared with other members. Therefore, even if a given member I leaks a private key skI, other members need not update the private key skI.
As the demerits of the method (ii), a member who performs encryption needs to manage the public keys pkA, . . . of the respective members, and adding a given member H to the group makes it necessary to re-encrypt the data D using a public key pkH of the added member H. For example, for a member who performs encryption, key management for the respective members becomes complicated, thereby degrading the convenience. If a member H is added, it is necessary for a member who performs encryption to encrypt the data D using the public key pkH of the added member H, and save the encrypted data in the cloud storage 1, thereby degrading the convenience.
As described above, in the conventional encryption techniques, there is a trade-off between the convenience and security.
As described above, when encrypted data is saved using the conventional encryption technique, there is a trade-off between the convenience and security.
A problem to be solved by the present invention is to provide a re-encryption system, re-encryption apparatus, and program, which allow the convenience and security to be compatible.